From 16a40511de988b286a51ec906dcb7659bcc6f8e5 Mon Sep 17 00:00:00 2001 From: Yehuda Sadeh Date: Wed, 6 Feb 2019 17:21:16 -0800 Subject: [PATCH] rgw: switch to using svc.mfa Signed-off-by: Yehuda Sadeh --- src/rgw/rgw_admin.cc | 23 +++-- src/rgw/rgw_otp.cc | 5 +- src/rgw/rgw_rados.cc | 206 ------------------------------------- src/rgw/rgw_rados.h | 22 ---- src/rgw/rgw_rest_s3.cc | 3 +- src/rgw/services/svc_mfa.h | 8 +- 6 files changed, 21 insertions(+), 246 deletions(-) diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc index fd38b4af4e9..b4606352643 100644 --- a/src/rgw/rgw_admin.cc +++ b/src/rgw/rgw_admin.cc @@ -58,6 +58,7 @@ extern "C" { #include "rgw_sync_module_pubsub.h" #include "services/svc_sync_modules.h" +#include "services/svc_mfa.h" #define dout_context g_ceph_context #define dout_subsys ceph_subsys_rgw @@ -7722,12 +7723,12 @@ next: } real_time mtime = real_clock::now(); - string oid = store->get_mfa_oid(user_id); + string oid = store->svc.mfa->get_mfa_oid(user_id); int ret = store->meta_mgr->mutate(rgw_otp_get_handler(), oid, mtime, &objv_tracker, MDLOG_STATUS_WRITE, RGWMetadataHandler::APPLY_ALWAYS, [&] { - return store->create_mfa(user_id, config, &objv_tracker, mtime); + return store->svc.mfa->create_mfa(user_id, config, &objv_tracker, mtime, null_yield); }); if (ret < 0) { cerr << "MFA creation failed, error: " << cpp_strerror(-ret) << std::endl; @@ -7757,12 +7758,12 @@ next: } real_time mtime = real_clock::now(); - string oid = store->get_mfa_oid(user_id); + string oid = store->svc.mfa->get_mfa_oid(user_id); int ret = store->meta_mgr->mutate(rgw_otp_get_handler(), oid, mtime, &objv_tracker, MDLOG_STATUS_WRITE, RGWMetadataHandler::APPLY_ALWAYS, [&] { - return store->remove_mfa(user_id, totp_serial, &objv_tracker, mtime); + return store->svc.mfa->remove_mfa(user_id, totp_serial, &objv_tracker, mtime, null_yield); }); if (ret < 0) { cerr << "MFA removal failed, error: " << cpp_strerror(-ret) << std::endl; 
@@ -7792,7 +7793,7 @@ next: } rados::cls::otp::otp_info_t result; - int ret = store->get_mfa(user_id, totp_serial, &result); + int ret = store->svc.mfa->get_mfa(user_id, totp_serial, &result, null_yield); if (ret < 0) { if (ret == -ENOENT || ret == -ENODATA) { cerr << "MFA serial id not found" << std::endl; @@ -7814,7 +7815,7 @@ next: } list result; - int ret = store->list_mfa(user_id, &result); + int ret = store->svc.mfa->list_mfa(user_id, &result, null_yield); if (ret < 0) { cerr << "MFA listing failed, error: " << cpp_strerror(-ret) << std::endl; return -ret; @@ -7842,7 +7843,7 @@ next: } list result; - int ret = store->check_mfa(user_id, totp_serial, totp_pin.front()); + int ret = store->svc.mfa->check_mfa(user_id, totp_serial, totp_pin.front(), null_yield); if (ret < 0) { cerr << "MFA check failed, error: " << cpp_strerror(-ret) << std::endl; return -ret; @@ -7867,7 +7868,7 @@ next: } rados::cls::otp::otp_info_t config; - int ret = store->get_mfa(user_id, totp_serial, &config); + int ret = store->svc.mfa->get_mfa(user_id, totp_serial, &config, null_yield); if (ret < 0) { if (ret == -ENOENT || ret == -ENODATA) { cerr << "MFA serial id not found" << std::endl; @@ -7879,7 +7880,7 @@ next: ceph::real_time now; - ret = store->otp_get_current_time(user_id, &now); + ret = store->svc.mfa->otp_get_current_time(user_id, &now, null_yield); if (ret < 0) { cerr << "ERROR: failed to fetch current time from osd: " << cpp_strerror(-ret) << std::endl; return -ret; 
@@ -7900,12 +7901,12 @@ next: /* now update the backend */ real_time mtime = real_clock::now(); - string oid = store->get_mfa_oid(user_id); + string oid = store->svc.mfa->get_mfa_oid(user_id); ret = store->meta_mgr->mutate(rgw_otp_get_handler(), oid, mtime, &objv_tracker, MDLOG_STATUS_WRITE, RGWMetadataHandler::APPLY_ALWAYS, [&] { - return store->create_mfa(user_id, config, &objv_tracker, mtime); + return store->svc.mfa->create_mfa(user_id, config, &objv_tracker, mtime, null_yield); }); if (ret < 0) { cerr << "MFA update failed, error: " << cpp_strerror(-ret) << std::endl; diff --git a/src/rgw/rgw_otp.cc b/src/rgw/rgw_otp.cc index e00a93441d1..224f77c6893 100644 --- a/src/rgw/rgw_otp.cc +++ b/src/rgw/rgw_otp.cc @@ -19,6 +19,7 @@ #include "rgw_tools.h" #include "services/svc_zone.h" +#include "services/svc_mfa.h" #define dout_subsys ceph_subsys_rgw @@ -51,7 +52,7 @@ public: real_time mtime; list result; - int r = store->list_mfa(entry, &result, &objv_tracker, &mtime); + int r = store->svc.mfa->list_mfa(entry, &result, &objv_tracker, &mtime, null_yield); if (r < 0) { return r; } @@ -73,7 +74,7 @@ public: int ret = store->meta_mgr->mutate(this, entry, mtime, &objv_tracker, MDLOG_STATUS_WRITE, sync_mode, [&] { - return store->set_mfa(entry, devices, true, &objv_tracker, mtime); + return store->svc.mfa->set_mfa(entry, devices, true, &objv_tracker, mtime, null_yield); }); if (ret < 0) { return ret; diff --git a/src/rgw/rgw_rados.cc b/src/rgw/rgw_rados.cc index fdace98e8a1..9abd96d5984 100644 --- a/src/rgw/rgw_rados.cc +++ b/src/rgw/rgw_rados.cc 
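Review bot: The rgw_otp.cc handler's `get` hunk (`@@ -51`) now hard-codes `null_yield` in `store->svc.mfa->list_mfa(entry, &result, &objv_tracker, &mtime, null_yield)`, and the `put` hunk (`@@ -73`) does the same for `set_mfa`, so both service calls are always synchronous regardless of how the handler was reached — presumably because the metadata handler interface itself carries no yield context (its signatures are outside the hunks). Since the svc.mfa methods now explicitly take an optional_yield, a one-line comment at each call would stop the next reader from assuming a yield is plumbed through, e.g. `// metadata handler API has no yield context; the RADOS call blocks here`. Both enclosing functions begin before their hunks.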
@@ -9921,209 +9921,3 @@ void RGWRados::call_zap() { } svc.cache->call_zap(); } - -string RGWRados::get_mfa_oid(const rgw_user& user) -{ - return string("user:") + user.to_str(); -} - -int RGWRados::get_mfa_ref(const rgw_user& user, rgw_rados_ref *ref) -{ - string oid = get_mfa_oid(user); - rgw_raw_obj obj(svc.zone->get_zone_params().otp_pool, oid); - return get_system_obj_ref(obj, ref); -} - -int RGWRados::check_mfa(const rgw_user& user, const string& otp_id, const string& pin) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - rados::cls::otp::otp_check_t result; - - r = rados::cls::otp::OTP::check(cct, ref.ioctx, ref.obj.oid, otp_id, pin, &result); - if (r < 0) - return r; - - ldout(cct, 20) << "OTP check, otp_id=" << otp_id << " result=" << (int)result.result << dendl; - - return (result.result == rados::cls::otp::OTP_CHECK_SUCCESS ? 0 : -EACCES); -} - -void RGWRados::prepare_mfa_write(librados::ObjectWriteOperation *op, - RGWObjVersionTracker *objv_tracker, - const ceph::real_time& mtime) -{ - RGWObjVersionTracker ot; - - if (objv_tracker) { - ot = *objv_tracker; - } - - if (ot.write_version.tag.empty()) { - if (ot.read_version.tag.empty()) { - ot.generate_new_write_ver(cct); - } else { - ot.write_version = ot.read_version; - ot.write_version.ver++; - } - } - - ot.prepare_op_for_write(op); - struct timespec mtime_ts = real_clock::to_timespec(mtime); - op->mtime2(&mtime_ts); -} - -int RGWRados::create_mfa(const rgw_user& user, const rados::cls::otp::otp_info_t& config, - RGWObjVersionTracker *objv_tracker, const ceph::real_time& mtime) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - librados::ObjectWriteOperation op; - prepare_mfa_write(&op, objv_tracker, mtime); - rados::cls::otp::OTP::create(&op, config); - r = ref.ioctx.operate(ref.obj.oid, &op); - if (r < 0) { - ldout(cct, 20) << "OTP create, otp_id=" << config.id << " result=" << (int)r << dendl; - return r; - } - - 
return 0; -} - -int RGWRados::remove_mfa(const rgw_user& user, const string& id, - RGWObjVersionTracker *objv_tracker, - const ceph::real_time& mtime) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - librados::ObjectWriteOperation op; - prepare_mfa_write(&op, objv_tracker, mtime); - rados::cls::otp::OTP::remove(&op, id); - r = ref.ioctx.operate(ref.obj.oid, &op); - if (r < 0) { - ldout(cct, 20) << "OTP remove, otp_id=" << id << " result=" << (int)r << dendl; - return r; - } - - return 0; -} - -int RGWRados::get_mfa(const rgw_user& user, const string& id, rados::cls::otp::otp_info_t *result) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - r = rados::cls::otp::OTP::get(nullptr, ref.ioctx, ref.obj.oid, id, result); - if (r < 0) { - return r; - } - - return 0; -} - -int RGWRados::list_mfa(const rgw_user& user, list *result) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - r = rados::cls::otp::OTP::get_all(nullptr, ref.ioctx, ref.obj.oid, result); - if (r < 0) { - return r; - } - - return 0; -} - -int RGWRados::otp_get_current_time(const rgw_user& user, ceph::real_time *result) -{ - rgw_rados_ref ref; - - int r = get_mfa_ref(user, &ref); - if (r < 0) { - return r; - } - - r = rados::cls::otp::OTP::get_current_time(ref.ioctx, ref.obj.oid, result); - if (r < 0) { - return r; - } - - return 0; -} - -int RGWRados::set_mfa(const string& oid, const list& entries, - bool reset_obj, RGWObjVersionTracker *objv_tracker, - const real_time& mtime) -{ - rgw_raw_obj obj(svc.zone->get_zone_params().otp_pool, oid); - rgw_rados_ref ref; - int r = get_system_obj_ref(obj, &ref); - if (r < 0) { - return r; - } - - librados::ObjectWriteOperation op; - if (reset_obj) { - op.remove(); - op.set_op_flags2(LIBRADOS_OP_FLAG_FAILOK); - op.create(false); - } - prepare_mfa_write(&op, objv_tracker, mtime); - rados::cls::otp::OTP::set(&op, entries); - r = 
ref.ioctx.operate(ref.obj.oid, &op); - if (r < 0) { - ldout(cct, 20) << "OTP set entries.size()=" << entries.size() << " result=" << (int)r << dendl; - return r; - } - - return 0; -} - -int RGWRados::list_mfa(const string& oid, list *result, - RGWObjVersionTracker *objv_tracker, ceph::real_time *pmtime) -{ - rgw_raw_obj obj(svc.zone->get_zone_params().otp_pool, oid); - rgw_rados_ref ref; - int r = get_system_obj_ref(obj, &ref); - if (r < 0) { - return r; - } - librados::ObjectReadOperation op; - struct timespec mtime_ts; - if (pmtime) { - op.stat2(nullptr, &mtime_ts, nullptr); - } - objv_tracker->prepare_op_for_read(&op); - r = rados::cls::otp::OTP::get_all(&op, ref.ioctx, ref.obj.oid, result); - if (r < 0) { - return r; - } - if (pmtime) { - *pmtime = ceph::real_clock::from_timespec(mtime_ts); - } - - return 0; -} diff --git a/src/rgw/rgw_rados.h b/src/rgw/rgw_rados.h index 44a51c59302..a8d3cc6e458 100644 --- a/src/rgw/rgw_rados.h +++ b/src/rgw/rgw_rados.h 
@@ -1596,28 +1596,6 @@ public: list& handles, bool keep_index_consistent, optional_yield y); - /* mfa/totp stuff */ - private: - void prepare_mfa_write(librados::ObjectWriteOperation *op, - RGWObjVersionTracker *objv_tracker, - const ceph::real_time& mtime); - public: - string get_mfa_oid(const rgw_user& user); - int get_mfa_ref(const rgw_user& user, rgw_rados_ref *ref); - int check_mfa(const rgw_user& user, const string& otp_id, const string& pin); - int create_mfa(const rgw_user& user, const rados::cls::otp::otp_info_t& config, - RGWObjVersionTracker *objv_tracker, const ceph::real_time& mtime); - int remove_mfa(const rgw_user& user, const string& id, - RGWObjVersionTracker *objv_tracker, const ceph::real_time& mtime); - int get_mfa(const rgw_user& user, const string& id, rados::cls::otp::otp_info_t *result); - int list_mfa(const rgw_user& user, list *result); - int otp_get_current_time(const rgw_user& user, ceph::real_time *result); - - /* mfa interfaces used by metadata engine */ - int set_mfa(const string& oid, const list& entries, bool reset_obj, - RGWObjVersionTracker *objv_tracker, const ceph::real_time& mtime); - int list_mfa(const string& oid, list *result, - RGWObjVersionTracker *objv_tracker, ceph::real_time *pmtime); private: /** * This is a helper method, it generates a list of bucket index objects with the given diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index bbb7e79acd1..1efb4bdabfd 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -48,6 +48,7 @@ #include "rgw_zone.h" #include "services/svc_zone.h" +#include "services/svc_mfa.h" #include "include/ceph_assert.h" #include "rgw_role.h" 
@@ -3893,7 +3894,7 @@ static int verify_mfa(RGWRados *store, RGWUserInfo *user, const string& mfa_str, return -EACCES; } - int ret = store->check_mfa(user->user_id, serial, pin); + int ret = store->svc.mfa->check_mfa(user->user_id, serial, pin, null_yield); if (ret < 0) { ldpp_dout(dpp, 20) << "NOTICE: failed to check MFA, serial=" << serial << dendl; return -EACCES; diff --git a/src/rgw/services/svc_mfa.h b/src/rgw/services/svc_mfa.h index be51cbdbc87..ccc97fdcb55 100644 --- a/src/rgw/services/svc_mfa.h +++ b/src/rgw/services/svc_mfa.h @@ -28,10 +28,6 @@ class RGWSI_MFA : public RGWServiceInstance RGWSI_Zone *zone_svc{nullptr}; RGWSI_RADOS *rados_svc{nullptr}; - string get_mfa_oid(const rgw_user& user) { - return string("user:") + user.to_str(); - } - int get_mfa_obj(const rgw_user& user, std::optional *obj); int get_mfa_ref(const rgw_user& user, rgw_rados_ref *ref); @@ -47,6 +43,10 @@ public: zone_svc = _zone_svc; } + string get_mfa_oid(const rgw_user& user) { + return string("user:") + user.to_str(); + } + int check_mfa(const rgw_user& user, const string& otp_id, const string& pin, optional_yield y); int create_mfa(const rgw_user& user, const rados::cls::otp::otp_info_t& config, RGWObjVersionTracker *objv_tracker, const ceph::real_time& mtime, optional_yield y); -- 2.39.5
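Review bot: `verify_mfa` sits on the S3 request path yet passes `null_yield` to `store->svc.mfa->check_mfa(user->user_id, serial, pin, null_yield)`, so the OTP check against RADOS is always a blocking call even when the request is served by a frontend that could suspend on a yield context. The signature visible in the hunk header (`static int verify_mfa(RGWRados *store, RGWUserInfo *user, const string& mfa_str, ...`) shows no yield parameter; consider adding `optional_yield y` and forwarding it, `int ret = store->svc.mfa->check_mfa(user->user_id, serial, pin, y);`, with the caller passing the request's yield context if one is available there (the caller is not in this hunk). The body of verify_mfa begins before the hunk.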
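Review bot: In the svc_mfa.h `@@ -47` hunk, `get_mfa_oid` becomes public but is declared as a non-const, non-static member although it reads no instance state, and it carries no comment even though rgw_admin.cc now uses its result as the key handed to `store->meta_mgr->mutate(rgw_otp_get_handler(), oid, ...)`. Declare it `static string get_mfa_oid(const rgw_user& user) {` (existing `store->svc.mfa->get_mfa_oid(...)` calls keep compiling) and document the contract, e.g. `// Name of the per-user OTP object; also the metadata key rgw-admin passes to mutate() and the otp handler receives as `entry`.` The `@@ -28` hunk only removes the former private copy and needs nothing further.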